Interface PKCS7SignatureHandler.SigningEngine
-
- Enclosing class:
- PKCS7SignatureHandler
public static interface PKCS7SignatureHandler.SigningEngineThis interface defines the engine used to actually sign a PDF. TheAcrobatSignatureHandlerFactory.createSigningEngine(java.security.KeyStore, java.lang.String, char[], java.lang.String)method will return an instance of this interface to do the signing. If a custom method of signing is required, for example on a remote server, this is the interface that will need implementing- Since:
- 2.22
-
-
Nested Class Summary
Nested Classes Modifier and Type Interface Description static classPKCS7SignatureHandler.SigningEngine.TypeAn enum that determine which type of PKCS7 Signature structure will be embedded with a SigningEngine
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description List<X509Certificate>getCertificates()Return the full list of X.509 certificates to be embedded into the signature.List<X509CRL>getCRLs()Return a list of X.509 CRL objects that should be used if required, ornull.StringgetDigestEncryptionAlgorithm()Return the Digest Encryption algorithm of the signature returned fromsign(byte[]), eg "SHA1withRSA", "SHA1withDSA", "SHA256withECDSA", or an ASN.1 OID representing the same, eg "1.2.840.113549.1.1.5".MessageDigestgetMessageDigest()Return a new MessageDigest to be used to compute the signature.List<PKCS7SignatureHandler.OCSPResponse>getOCSPResponses()Return a list of OCSP responses that should be used if required, ornull.byte[]getTimeStampResp(byte[] digest)Return an ASN.1 encoded "TimeStampResp" (as defined in RFC3161) to be embedded in the PKCS#7 object, ornullif the signing process should use the default method for getting timestamps, i.e. retrieving them from theAcrobatSignatureHandelrFactory#getTimeStampServers.PKCS7SignatureHandler.SigningEngine.TypegetType()Return the type of object returned from thesign(byte[])methodvoidsetPassword(PasswordCallback callback)Set the password on the suppled PasswordCallback.byte[]sign(byte[] data)Actually sign the supplier data and returned the signature.
-
-
-
Method Detail
-
getType
PKCS7SignatureHandler.SigningEngine.Type getType()
Return the type of object returned from thesign(byte[])method
-
getMessageDigest
MessageDigest getMessageDigest() throws NoSuchAlgorithmException
Return a new MessageDigest to be used to compute the signature. This will be called once per signature. Note in 2.28 the "throws NoSuchAlgorithmException" was added to the method signature- Throws:
NoSuchAlgorithmException
-
getCertificates
List<X509Certificate> getCertificates() throws IOException, GeneralSecurityException
Return the full list of X.509 certificates to be embedded into the signature. This must include any certificates required to certify the signature up to the root certificate, and includes Certificates for any OCSP responders that would be queried as part of the Certificate verification process. The signing Certificate must be item 0 in the list.
The one exception to this is if
getType()returnsPKCS7SignatureHandler.SigningEngine.Type.PKCS7_COMPLETE, in which case this method may return null.This method will be called multiple times, so the object returned from this method should be stored locally.
- Throws:
IOExceptionGeneralSecurityException
-
sign
byte[] sign(byte[] data) throws IOException, GeneralSecurityExceptionActually sign the supplier data and returned the signature.
The exact format of the returned item will vary depending on the
getType(), but is typically the output of theSignature.sign()method. For RSA signatures this equates torsa(pad(DigestInfo)), which is effectivelyrsa(pad(asn1sequence(asn1sequence(algorithm, NULL), digest))), wherersais the RSA algorithm,padis the PKCS#1 1.5 padding algorithm,algorithmis the hash algorithm OID, anddigestis an ASN.1 Octet string representing the digest of the data supplied to this method.The one exception to this is if
getType()returnsPKCS7SignatureHandler.SigningEngine.Type.PKCS7_COMPLETE, in which case this method should return the entire PKCS#7 object to embed in the PDF.This method may be called with a null argument for the data, in which case the API is attempting to determine the size of the signed object for space allocation in the final PDF. If an accurate estimate can be made, the returned array should be of the correct length (the contents of the array do not matter in this case). If no estimate can be made this method should return a zero-length array.
Note that prior to 2.28.7, the API docs incorrectly described the parameter as the "digest". It is not the digest, it is the data to digest.
- Parameters:
data- the data to sign, or null if it's a test run to determine size.- Returns:
- the signed object, as determined by the
modeof this object - Throws:
IOExceptionGeneralSecurityException
-
getTimeStampResp
byte[] getTimeStampResp(byte[] digest) throws IOException, GeneralSecurityExceptionReturn an ASN.1 encoded "TimeStampResp" (as defined in RFC3161) to be embedded in the PKCS#7 object, or
nullif the signing process should use the default method for getting timestamps, i.e. retrieving them from theAcrobatSignatureHandelrFactory#getTimeStampServers. Most implementations will simply return null here.Like
sign(byte[]), this method may be called with a null digest - if so the size of the returned array will be used to estimate how much space to allocate in the PDF. If this is not known, a zero-byte array should be returned.To help clarify this, here's a list of the possible inputs and outputs to this method, and what they mean.
input output explanation null null the API is trying to find out how big a TimeStamp would be if we were signing, and the null response means "there will be no timestamp" null byte[0] the API is trying to find out how big a TimeStamp would be if we were signing, and the zero-length response means "there will be a timestamp, but the only way to know how big it will be is it sign something" null byte[n] the API is trying to find out how big a TimeStamp would be if we were signing, and the non-zero-length response means "there will be a timestamp, and it will be the same size as this byte array" byte[n] null this is a real TimeStamp request. The null response means this signature is not timestamped byte[n] byte[n] this is a real TimeStamp request. The non-zero-length response is the actual TimeStamp to embed Note that prior to 2.28.7 a return value of "null" meant "no timestamp", not "ask the factory"
- Parameters:
digest- the digest to sign, or null if it's a dummy.- Returns:
- null to mean "ask the factory", a zero-byte array to mean "timestamp of unknown size", or a non-zero byte array which is the TimeStamp response
- Throws:
IOExceptionGeneralSecurityException
-
getDigestEncryptionAlgorithm
String getDigestEncryptionAlgorithm()
Return the Digest Encryption algorithm of the signature returned fromsign(byte[]), eg "SHA1withRSA", "SHA1withDSA", "SHA256withECDSA", or an ASN.1 OID representing the same, eg "1.2.840.113549.1.1.5".
-
setPassword
void setPassword(PasswordCallback callback)
Set the password on the suppled PasswordCallback. This is required because some types of PKCS#11 token require a second login immediately before the "sign" call. For SigningEngines unconcerned with PKCS#11, this method can be a no-op.- Since:
- 2.25
-
getOCSPResponses
List<PKCS7SignatureHandler.OCSPResponse> getOCSPResponses() throws IOException, GeneralSecurityException
Return a list of OCSP responses that should be used if required, ornull.- Throws:
IOExceptionGeneralSecurityException- Since:
- 2.28
-
getCRLs
List<X509CRL> getCRLs() throws IOException, GeneralSecurityException
Return a list of X.509 CRL objects that should be used if required, ornull.- Throws:
IOExceptionGeneralSecurityException- Since:
- 2.28
-
-